
Ya, but if they built it so msg='<b>msg</b>' that would remove the bold, no?

So it is a bit more complex than that if they want to enable user markup. https://code.google.com/p/pagedown/source/browse/Markdown.Sa... https://code.google.com/p/pagedown/wiki/PageDown



I'm not even a front end guy but I'm pretty sure the field they are adding the user message to should handle the style, not the user message.


If one uses common choices [e.g. Markdown] that isn't how the parsers are designed.

It is [message] -> [parse] -> [sanitize], generally.


If you want to enable user markup, then build a simple parser, and use that to generate the correct styling you require.


My point was:

A) It was not as simple as you suggested if there was markup involved in the message.

B) They'd have to use a parser and I linked to a parser that sanitizes that was once used in a pretty big network of sites.

I'm uncertain if you misunderstood or are simply agreeing with me in a tone of writing that makes it sound like you disagree.


I think the point was that it's inherently less safe to allow arbitrary markup and then attempt to sanitize it, than to make a full parser that's incapable of generating unsafe HTML at any stage, all other things being equal.

The safety of widely-deployed Markdown + sanitizer libraries is largely thanks to testing at scale and a history of patches for XSS vulnerabilities.
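Added example (not code from the thread, and not pagedown's code): a minimal user-markup renderer of the "parser that can't produce unsafe HTML at any stage" kind described above. The markup syntax (`*bold*`, `_italic_`, `` `code` ``) and all names are assumptions for the example. Every character of user text goes through `escapeHtml`, and the only tags the renderer can ever write come from the fixed `INLINE` table, so there is no sanitize step to get wrong; `onlyAllowedTags` is the check you would run over the output in tests.

```javascript
// Added example (not from the thread or from pagedown): a user-markup
// renderer that can only emit a fixed set of tags. Syntax is an assumption:
//   *bold*   _italic_   `code`   (no other delimiters are recognised)

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// All user text passes through here, so a literal "<b>" in a message is
// shown as text, never interpreted as HTML.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Delimiter -> tag name. These are the only tags the renderer can produce.
const INLINE = { '*': 'b', '_': 'i', '`': 'code' };
const ALLOWED_TAGS = new Set(Object.values(INLINE));

function renderUserMarkup(input) {
  let out = '';
  let buf = '';      // pending plain text, escaped when flushed
  const open = [];   // stack of currently open delimiters
  const flush = () => { out += escapeHtml(buf); buf = ''; };

  for (const ch of input) {
    const tag = INLINE[ch];
    const top = open[open.length - 1];
    // Not a delimiter, or inside a code span: plain text.
    if (tag === undefined || (top === '`' && ch !== '`')) { buf += ch; continue; }
    flush();
    if (top === ch) {
      open.pop();                  // closes the innermost open span
      out += `</${tag}>`;
    } else if (open.includes(ch)) {
      buf += ch;                   // improperly nested: keep as literal text
    } else {
      open.push(ch);
      out += `<${tag}>`;
    }
  }
  flush();
  // Unterminated spans are closed so the output is always well-formed.
  while (open.length) out += `</${INLINE[open.pop()]}>`;
  return out;
}

// Test-time check: every '<' in the output starts an allowed open/close tag.
function onlyAllowedTags(html) {
  const tags = html.match(/<[^>]*>/g) || [];
  const allAllowed = tags.every((t) => ALLOWED_TAGS.has(t.replace(/^<\/?|>$/g, '')));
  return allAllowed && html.split('<').length - 1 === tags.length;
}

// Constructed sample input (the case from the comment above): the literal
// tags stay visible as text, the *...* markup is what produces bold.
const sample = renderUserMarkup("msg='<b>msg</b>' but *this* is bold");
console.log(sample);
```

The contrast with the [message] -> [parse] -> [sanitize] pipeline is that here the output grammar is closed by construction: adding a new feature means adding a row to `INLINE`, not auditing what a Markdown parser might emit before the sanitizer sees it.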
